WO 2004/112309 



1 



PCT/KR2004/001296 



Description 

[1] RIJNDAEL BLOCK CIPHER APPARATUS AND ENCRYPTION/ 

DECRYPTION METHOD THEREOF 
[2] Technical Field 

[3] The present invention relates generally to a rijndael block cipher apparatus and an 

encryption/decryption method thereof, and more particularly to a rijndael block cipher 
apparatus which is mounted in a cellular phone, PDA, smart card, and so on, and 
which can encrypt and decrypt important data that requires security at high speed, and 
an encryption/decryption method thereof. 

[4] Background Art 

[5] Rijndael algorithm is a symmetric secret-key encryption algorithm that was 

developed by Joan Daemen and Vincent Rijmen who are Belgian encryption 
developers, and then selected as a new AES (Advanced Encryption Standard) by 
American NIST (National Institute Standards and Technology) in October, 2000 or 
thereabouts. 

[6] The rijndael algorithm supports a variable block length of an SPN 

(Substitution-Permutation Network) structure, and enables the use of 128-bit, 192-bit, 
and 256-bit keys with respect to respective block lengths. 

[7] The number of rounds in the rijndael algorithm is determined by key lengths, and in 

the case of using the 128-bit block, it is recommended to use 10, 12 and 14 rounds 
with respect to the 128-bit, 192-bit and 256-bit keys, respectively. 

[8] Recently, it is known that the rijndael algorithm causes no problem in security even 

if the 128-bit key is used, and thus researches for hardware implementation of the 
rijndael algorithm using the key having a length of 128 bits has already been under 
way. 

[9] Since the rijndael algorithm encrypts/decrypts data for the rijndael block 

encryption/decryption by repeating round operations, and is especially provided for 
supporting the variable block length of the SPN structure, the encryption process of a 
rijndael block cipher is different from the decryption process thereof. Typically, a 
round operation for the encryption process of the rijndael block cipher is composed of 
four transforms of substitution, shift.row, mixcobmn and add-round-key, and a round 
operation for the decryption process is composed o four transforms of inverse- 
shift.row, inverse substitution, add-round-key and inverse mixcobmn. According to 
methods of performing these transforms, times required for the round operation for the 
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[11] 



[12] 



[13] 



ryndael block cipher and hardware resources to be used differ, and further the method 
of performing the transform is vital to the performance of a rijndael cipher processor 
Accordingly, it is important to reduce the amount of hardware resource required for the 
implementation of the round operation and the time required for performing of the 
round operation. 

[ 1 0] Disclosure of the Invention 

Therefore, the applicant has developed a rijndael block cipher apparatus including 
an operational unit that efficiently performs a round operation for encrypting/ 
decrypting the rijndael block cipher and an encryption/decryption method thereof 

It is an object of the present invention is to solve the problems involved in the prior 
art and to provide a rijndael block cipher apparatus which is mounted in a mobile 
terminal such as a cellular phone and a PDA or a smart card, which requires a high- 
rate and small-sized cipher processor, and which can encrypt and decrypt important 
data that requires security at high speed, and an encryption/decryption method thereof 

In order to accomplish the above-mentioned object, a rijndael block cipher 
apparatus according to an embodiment of the present invention comprises a round 
operation unit for transforming a 128-bit input key into a 128-bit round key for 
encryption or decryption, and storing the 128-bit round key according to a value of a 
mode signal from a time when a round operation start signal, a round number signal 
and a bit selection signal for dividing the 128-bit input data into upper 64 bits and 
lower 64 bits and selecting the upper or lower 64 bits are inputted after an encryption 
or decryption operation start signal and the mode signal are inputted, encrypting the 
128-bit input data by dividing the 128-bit input data into the upper 64 bits and the 
lower 64 bits and by performing a round operation which is composed of transforms of 
shift_row, substitution, mixcolumn and add-round-key with respect to the divided 
upper 64 bits and lower b4 bits, respectively, and decrypting the 128-bit input data by 
dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and by 
performing a round operation which is composed of transforms of inverse-shift.row 
inverse substitution, add-round-key and inverse mixcolumn with respect to the divided 
upper 64 bits and lower b4 bits, respectively; a round operation control unit for 
controlling the round operation of the round operation unit by transmitting the round 
operation start signal, the round number signal and the bit selection signal for dividing 
the 128-bit input data into the upper 64 bits and lower 64 bits and selecting the upper 
or lower 64 bits to the round operation unit from a time when the encryption or 
decryption operation start signal and the mode signal are inputted; a 64-bit data 
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register for storing intermediate encryption or decryption data of the upper 64-bit input 
data generated during each round operation performed by the round operation unit- and 
a 128-bit data register for storing intermediate encryption or decryption data of the 
lower 64-bit input data generated during each round operation performed by the round 
operation unit as its lower 64 bits, and storing the encryption or decryption data 
generated as a result of a last round operation and stored in the 64-bit data register as 
its upper 64-bit data. 

[14] In order to accomplish the above-mentioned object, a rijndael block encryption 

method according to a first embodiment of the present invention comprises the steps of 
if a four-clock round operation start signal and a round number signal are inputted 
from a round operation control unit after an encryption or decryption operation start 
signal and a mode signal are inputted through a bus, a round key generation unit of a 
round operation unit transforming a 128-bit input key into a 128-bit round key for 
encryption in accordance with a value of the mode signal inputted through the bus 
from a time when a first clock of the round operation start signal becomes T, and 
storing the 128-bit round key in an internal 128-bit round key register; if the four-clock 
round operation start signal and a bit selection signal are inputted from the round 
operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift 
of upper 64-bit data of 128-bit input data inputted through the bus and outputting the 
byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes 
T , and a substitution/inverse-substitution transform unit successively performing a 
substitution of the upper 64-bit data, outputting the substituted upper 64-bit data to a 
first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit data 
register; when a second clock of the round operation start signal becomes T , a mix/ 
inverse-mixcokimn transform unit performing a mixcolumn of the upper 64-bit data 
outputted through an encryption output terminal of the first demultiplexer and stored in 
the 64-bit data register, outputting the mixcolumn-transformed upper 64-bit data to a 
second demultiplexer, and storing the mixcolumn-transformed upper 64-bit data in the 
64-bit data register, the shift/inverse-shift_row transform unit simultaneously 
performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through 
the bus and outputting the byte-shifted lower 64-bit data through the first multiplexer 
and the substitution/inverse-substitution transform unit successively performing a sub- 
stitution of the lower 64-bit data, outputting the substituted lower 64-bit data to the 
first demultiplexer, and storing the substituted lower 64-bit data in lower 64 bits of a 
128-bit data register; when a third clock of the round operation start signal becomes T 
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. an add-round-key transform unit performing an addition of the upper 64-bit data 
outputted through an encryption output terminal of the second demultiplexer and 
stored in the 64-bit data register to upper 64-bit round key generated by the round key 
generation unit and storing the added upper 64-bit data in upper 64 bits of the 128-bit 
data register, and a mix/inverse-mixcolumn transform unit simultaneous performing 
a mixcobmn of the lower 64-bit data outputted through the encryption output terminal 
of the fi«t demultiplexer and stored in the 128-bit data register, outputting the 
mixcobmn-transformed lower 64-bit data to the second demultiplexer, and storing the 
mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data 
register; and when a fourth clock of the round operation start signal becomes T the 
add-round-key transform unit performing an addition of the lower 64-bit data 
outputted through the encryption output terminal of the second demultiplexer and 
stored in the 128-bit data register to lower 64-bit round key generated by the round key 
generation unit and storing the added lower 64-bit data in the lower 64 bits of the 
128-bit data register. 

[15] In order to accomplish the above-mentioned object, a rijndael block decryption 

method according to a first embodiment of the present invention comprises the steps of 
if a four-clock round operation start signal and a round number signal are inputted 
from a round operation control unit after an encryption or decryption operation start 
signal and a mode signal are inputted through a bus, a round key generation unit of a 
round operation unit transforming a 128-bit input key into a 128-bit round key for 
decryption in accordance with a value of the mode signal inputted through the bus 
from a time when a first clock of the round operation start signal becomes T and 
storing the 128-bit round key in an internal 128-bit round key register; if the four-clock 
round operation start signal and a bit selection signal are inputted from the round 
operation control unit, a shift/inverse-shift_row transform unit performing a byte- 
inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus and 
outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when 
the first clock becomes , T and a substitution/inverse-substitution transform unit suc- 
cessively performing an inverse substitution of the upper 64-bit data, outputting the 
inverse-substituted upper 64-bit data to a first demultiplexer, and storing the inverse- 
substituted upper 64-bit data in a 64-bit data register; when a second clock of the round 
operation start signal becomes T , an add-round-key transform unit performing an 
addition of the upper 64-bit data outputted through a decryption output terminal of the 
first demultiplexer and stored in the 64-bit data register to upper 64-bit round key 
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generated by the round key generation unit, outputting the added upper 64-bit data to a 
thud demultiplexer, and storing the added upper 64-bit data in the 64-bit data register 
the shift/inverse-shift.row transform unit simultaneous performing a byte- 
mverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus 
and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer 
and the substitution/inverse-substitution transform unit successively performing an ' 
inverse substitution of the lower 64-bit data, outputting the inverse-substituted lower 
64-bit data to the first demultiplexer, and storing the inverse-substituted lower 64-bit 
data in lower 64 bits of a 128-bit data register; when a third clock of the round 
operation start signal becomes T , a mix/inverse-mixcolumn transform unit 
performing an inverse mixcobmn of the upper 64-bit data outputted through a 
decryption output terminal of the third demultiplexer and stored in the 64-bit data 
register, outputting the inverse-mixcolumn-transformed upper 64-bit data through a 
second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit 
data in upper 64 bits of the 128-bit data register, and the add-round-key transform unit 
simultaneous performing an addition of the lower 64-bit data outputted through the 
decryption output terminal of the first demultiplexer and stored in the 128-bit data 
register to lower 64-bit round key generated by the round key generation unit 
outputting the added lower 64-bit data through the third demultiplexer, and st oring the 
added lower 64-bit data in the lower 64 bits of the 128-bit data register; and when a 
fourth clock of the round operation start signal becomes T , the mix/ 
inverse-mixcolumn transform unit performing an inverse mixcolunn of the lower 
64-bit data outputted through the decryption output terminal of the third demultiplexer 
and stored in the 128-bit data register, outputting the inverse-mixcolumn-transformed 
lower 64-bit data through a second demultiplexer, and storing the inverse- 
mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data 
register. 

In order to accomplish the above-mentioned object, a rijndael block encryption 
method according to a second embodiment of the present invention comprises the steps 
of if a three-clock round operation start signal and a round number signal are inputted 
from a round operation control unit after an encryption or decryption operation start 
Signal and a mode signal are inputted through a bus, a round key generation unit of a 
round operation unit transforming a 128-bit input key into a 128-bit round key for 
encryption in accordance with a value of the mode signal inputted through the bus 
from a tune when a first clock of the round operation start signal becomes T and 
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round operation unit transforming a 128-bit input key into a 128-bit round key for 
decryption in accordance with a value of the mode signal inputted through the bus 
from a time when a first clock of the round operation start signal becomes T, and 
storing the 128-bit round key in an internal 128-bit round key register; if the three- 
clock round operation start signal and a bit selection signal are inputted from the round 
operation control unit, a shift/inver Se -shift_row transform unit performing a byte- 
inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and 
outputtmg the byte-inverse-shifted upper 64-bit data through a first multiplexer when 
the first clock becomes T , and a substitution/inverse-substitution transform unit suc- 
cessively performing an inverse substitution of the upper 64-bit data, outputting the 
inverse-substituted upper 64-bit data to a first demultiplexer, and storing the inverse- 
substituted upper 64-bit data in a 64-bit data register; when a second clock of the round 
operation start signal becomes T , an add-round-key transform unit performing an 
add-on of the upper 64-bit data outputted through a decryption output terminal of the 
first demultiplexer and stored in the 64-bit data register to upper 64-bit round key 
generated by the round key generation unit, and outputting the added upper 64-bit data 
to a third demultiplexer, a mix/inverse-mixcolumn transform unit successively 
performing an inverse mixcolumn of the added upper 64-bit data, outputting the 
inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and 
stonng the inverse-mixcolumn-transformed upper 64-bit data in the 64-bit data 
register, the shift/inverse-shift_row transform unit simultaneous performing a byte- 
inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus 
and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer 
and the substitution/inverse-substitution transform unit successively performing an ' 
inverse substitution of the lower 64-bit data, outputting the inverse-substituted lower 
64-b,t data to the first demultiplexer, and storing the inverse-substituted lower 64-bit 
data in lower 64 bits of a 128-bit data register; and when a third clock of the round 
operation start signal becomes T , the add-round-key transform unit performing an 
addition of the lower 64-bit data outputted through the decryption output terminal of 
the first demultiplexer and stored in the 128-bit data register to lower 64-bit round key 
generated by the round key generation unit and outputting the added lower 64-bit data 
to the third demultiplexer, the mix/inverse-mixcolumn transform unit successively 
performing an inverse mixcolumn of the added lower 64-bit data, outputting the 
inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and 
stonng the inverse-mixcolumn-transformed lower 64-bit data in the lower 64 bits of 
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the 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 
64-bit data register in upper 64 bits of the 128-bit data register. 
[18] In order to accomplish the above-mentioned object, a rijndael block encryption 

method according to a third embodiment of the present invention comprises the steps 
of if a two-clock round operation start signal and a round number signal are inputted 
from a round operation control unit after an encryption or decryption operation start 
signal and a mode signal are inputted through a bus, a round key generation unit of a 
round operation unit transforming a 128-bit input key into a 128-bit round key for 
encryption in accordance with a value of the mode signal inputted through the bus 
from a time when a first clock of the round operation start signal becomes T and 
storing the 128-bit round key in an internal 128-bit round key register; if the two-clock 
round operation start signal and a bit selection signal are inputted from the round 
operation control unit, a shiMnverse-shift.row transform unit performing a byte-shift 
of upper 64-bit data of 128-bit input data inputted through the bus and outputting the 
byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes 
'I' , a substitution/inverse-substitution transform unit successively performing a sub- 
stitution of the upper 64-bit data, and outputting the substituted upper 64-bit data 
through a first demultiplexer, a mix/inverse-mixcoLmn transform unit performing a 
mixcobmn of the upper 64-bit data outputted through an encryption output terminal of 
the first demultiplexer, and outputting the mixcobmn-transformed upper 64-bit data to 
a second demultiplexer, and an add-round-key transform unit successively performing 
an addition of this upper 64-bit data to an upper 64-bit round key generated by the 
round key generation unit, and storing the added upper 64-bit data in a 64-bit data 
register; and when a second clock of the round operation start signal becomes T the 
shift/inverse-shift_row transform unit performing a byte-shift of lower 64-bit data of 
the 128-bit input data inputted through the bus and outputting the byte-shifted lower 
64-bit data through the first multiplexer, and the substitution/inverse-substitution 
transform unit successively performing a substitution of the lower 64-bit data, and 
outputting the substituted lower 64-bit data to the first demultiplexer, the mix/ 
inverse-mixcolumn transform unit successively performing a mixcolumn of the lower 
64-bit data, and outputting the mixco ^transformed lower 64-bit data to the second 
demultiplexer, the add-round-key transform unit successively performing an addition 
of this lower 64-bit data to lower 64-bit round key generated by the round key 
generation unit, and storing the added lower 64-bit data in lower 64 bits of a 128-bit 
data register, and simultaneoudy storing the upper 64-bit data stored in the 64-bit data 
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register in upper 64 bits of the 128-bit data register. 

In order to accomplish the above-mentioned object, a rijndael block decryption 
mefcod according to a second embodiment of the present invention comprises the steps 
of if a two-clock round operation start signal and a round number signal are inputted 
from a round operation control unit after an encryption or decryption operation start 
signal and a mode signal are inputted through a bus, a round key generation unit of a 
round operation unit transforming a 128-bit input key into a 128-bit round key for 
decryption in accordance with a value of the mode signal inputted through the bus 
from a time when a first clock of the round operation start signal becomes T and 
stonng the 128-bit round key in an internal 128-bit round key register; if the two-clock 
round operation start signal and a bit selection signal are inputted from the round 
operation control unit, a shift/inverse-shift.row transform unit performing a byte- 
mverse-shift of upper 64-bit data of 128-bit input data inputted through the bus and 
outputtmg the byte-inverse-shifted upper 64-bit data through a first multiplexer when 
the first clock becomes T , a substitution/inverse-substitution transform unit suc- 
cessively performing an inverse substitution of the upper 64-bit data, and outputting 
the mverse-substituted upper 64-bit data to a first demuttiplexer, an add-round-key 
transform unit successively performing an addition of the upper 64-bit data outputted 
tough a deception output terminal of the first demuMplexer to an upper 64-bit round 
key generated by the round key generation unit, and outputting the added upper 64-bit 
data to a third demuMplexer, and a mix/inverse-mixcolumn transform unit suc- 
cessively performing an inverse mixcolumn of the added upper 64-bit data, outputting 
the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer 
and stonng the inverse-mixcolumn-transformed upper 64-bit data in a 64-bit data 
regxster; and when a second clock of the round operation start signal becomes T the 
shift/mverse-shift_row transform unit performing a byte-inverse-shift of lower 64-bit 
data of the 128-bit input data inputted through the bus and outputting the byte- 
inverse-shifted lower 64-bit data through the first multiplexer, the substitution/ 
—substitution transform unit successively performing an inverse substitution of 
the lower 64-bit data, and outputting the inverse-substituted lower 64-bit data to the 
first demultiplexer, the add-round-key transform unit successively performing an 
addition of the lower 64-bit data outputted through the decryption output terminal of 
the first demultiplexer to a lower 64-bit round key generated by the round key 
generation unit, and outputting the added lower 64-bit data to the third demultiplexer 
the mrx/inverse-mixcolumn transform unit successively performing an inverse 
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mixcolumn of the added lower 64-bit data, outputting the inverse- 
mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing 
the inverse-mixco ^transformed lower 64-bit data in lower 64 bits of a 128-bit data 
register, and simultaneously storing the upper 64-bit data stored in the 64-bit data 
register in upper 64 bits of the 128-bit data register. 
[20] Brief Description of the Drawings 

[21] The above object, other features and advantages of the present invention will 

become more apparent by describing the preferred embodiments thereof with reference 
to the accompanying drawings, in which: 
[22] FIG. 1 is a view illustrating the construction of a rijndael block cipher apparatus 

according to the present invention. 
[23] FIG. 2 is a view illustrating the construction of a round operation unit. 

[24] FIG. 3 is a view illustrating the construction of a round key generation unit. 

[25] FIG. 4 is a first timing diagram illustrating a method of encrypting a rijndael block 

cipher according to the present invention. 
[26] FIG. 5 is a first timing diagram illustrating a method of decrypting a rijndael block 

cipher according to the present invention. 
[27] FIG. 6 is a second timing diagram illustrating a method of encrypting a rijndael 

block cipher according to the present invention. 
[28] FIG. 7 is a second timing diagram illustrating a method of decrypting a rijndael 

block cipher according to the present invention. 
[29] FIG. 8 is a third timing diagram illustrating a method of encrypting a rijndael block 

cipher according to the present invention. 
[30] FIG. 9 is a third timing diagram illistrating a method of decrypting a rijndael block 

cipher according to the present invention. 
[3 1 ] Best Mode for Carrying Out the Invention 

[32] Now, a rijndael block cipher apparatus and an encryption/decryption method 

thereof according to preferred embodiments of the present invention will be described 
in detail with reference to the annexed drawings. 

[33] Referring to FIG. 1, the rijndael block cipher apparatus according to the present 

invention is primary intended to perform all round operations for encrypting and 
decrypting input data for rijndael block encryption/decryption in the unit of 64 bits, 
and to generate round keys required for the round operations simultaneously with 
performing the round operations. 

[34] A round operation unit 100 transforms a 128-bit input key into a 128-bit round key 
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RK for encryption or decryption and stores the 128-bit round key according to a value 
of a mode signal from a time when a round operation start signal Round start, a round 
number signal Round_number and a bit selection signal sel for dividing the 128-bit 
input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits 
for each round operation are inputted after an encryption or decryption operation start 
signal start and the mode signal are inputted through a bus 200 for rijndael block 
encryption/decryption. 

If the vabe of the mode signal indicates V, the round operation unit 100 encrypts 
the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the 
lower 64 bits and performing a round operation which is composed of transforms of 
shift.row, substitution, mixcobmn and add-round-key with respect to the divided 
upper 64 bits and lower b4 bits, respectively. 

If the vabe of the mode signal indicates T , the round operation unit 100 decrypts 
the 128-bU input data by dividing the 128-bit input data into the upper 64 bits and the 
lower 64 bits and performing a round operation which is composed of transforms of 
inverse shxft_row, inverse substitution, add-round-key and inverse mixcobmn with 
respect to the divided upper 64 bits and lower b4 bits, respectively. 
[37] A round operation control unit 300, if the encryption or decryption operation start 

signal and the mode signal are inputted through the bus 200, controls the round 
operation of the round operation unit 100 by transmitting the round operation start 
signal Round_start, the round number signal Round_number and the bit selection 
signal for dividing the 128-bit input data into the upper 64 bits and the lower 64 bits 
and selecting the divided upper or lower 64 bits for each round operation to the round 
operation unit 100 from the time when the encryption or decryption operation start 
signal and the mode signal are inputted. 
[38] A 64-bit data register 400 stores intermediate encryption or decryption data of the 

upper 64-bit input data generated during each round operation performed by the round 
operation unit 100. 

A 128-bit data register 500 stores intermediate encryption or decryption data of the 
lower 64-bit input data generated during each round operation performed by the round 
operation unit 100 as its lower 64 bits, and stores the encryption or decryption data 
generated as a result of a last round operation and stored in the 64-bit data register 400 
as its upper 64 bits. 

Referring to FIG. 2, a round key generation unit 1 10 of the round operation unit 100 
transforms the 128-bit input key into the 128-bit round key RK according to the vabe 
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of the mode signal inputted through the bus 200 and stores the 128-bit round key in an 
internal 128-bit round key register if the round operation start signal and the round 
number signal are inputted from the round operation control unit 300 
[41] A shifl/inverse-shift_row transform unit 120 of the round operation unit 100 if the 

round operation start signal and a bit selection signal are inputted from the round 
operation control unit 300, performs a byte-shift of the upper 64 bits and the lower 64 
bxts divided from the 128-bit input data inputted through the bus 200 by different 
numbers according to the value of the mode signal inputted through the bus 200 and 
outputs the byte-shifted upper 64 bits and lower 64 bits through a first multiplexer 121 
the output of which is controlled according to the value of the bit selection signal 
[42] A substitution/inverse-substitution transform unit 130 of the round operation unit 

100 performs a substitution or an inverse substitution of the upper 64-bit data and the 
lower 64-bit data outputted from the shift/inverse-shift_row transform unit 120 using a 
substitution box (S-box) or an inverse-substitution box (Si-box) that provides a one- 
byte output with respect to a one-byte input. 
[43] A first demultiplexer 140 of the round operation unit 100 outputs the upper 64-bit 

data or the lower 64-bit data outputted from the substitution/inverse-substitution 
transform unit 130 through either of its encryption output terminal '0' and its 
decryption output terminal T according to the value of the mode signal 
[44] A mix/inverse-mixcolumn transform unit 150 of the round operation unit 100 

performs a mixcolumn of the upper 64-bit data or the lower 64-bit data inputted 
through the encryption output terminal '0' of the first demultiplexer 140, or performs 
an inverse mixcolumn of the upper 64-bit data or the lower 64-bit data that has been 
add-round-key-transformed. 

A second demultiplexer 160 of the round operation unit 100 outputs the upper 
64-bit data or the lower 64-bit data outputted from the mix/inverse-mixcolumn 
transform unit 150 through either of its encryption output terminal '0' and its 
decryption output terminal T according to the value of the mode signal 

An add-round-key transform unit 170 of the round operation unit 100 performs an 
addiuon of the upper 64-bit data or the lower 64-bit data inputted through the 
decryption output terminal T of the first demultiplexer 140 or the encryption output 
terminal '0' of the second demultiplexer 160 to the 128-bit round key RK for 
encryption or decryption outputted from the round key generation unit 1 10 

A third demultiplexer 180 of the round operation unit 100 outputs the upper 64-bit 
data or the lower 64-bit data outputted from the add-round-key transform unit 170 



[45] 



[46] 



[47] 



WO 2004/112309 

13 PCI7KR2004/001296 



[48] 



[49] 



[50] 



through either of its encryption output terminal '0' and its decryption output terminal T 
according to the value of the mode signal 

Referring to FIG. 3, a 128-bit prekey register 1 1 1 of the round key generation unit 
1 10 stores the 128-bit input key inputted through the bus 200 as a prekey for 
transforming the 128-bit input key into the 128-bit round key RK for encryption or 
decryption, and stores the 128-bit round key RK generated after each round operation 
as a prekey for generating the round key used in the next round operation 

A 128-bit round key register 1 1 la of the round key generation unit 1 10 stores the 

128-bit round key RK for encryption or decryption for each round operation In FIG 3 
the 128-bit round key RK to be stored in the 128-bit round key register 1 1 1 a is backed ' 
up to the 128-bit prekey register 1 1 1 after each round operation, and is used as a round 
key (,.e., prekey) of the previous round in the next round operation 

A constant storage unit 1 12 of the round key generation unit 1 10 stores constant 
values Rcon determined according to the order of the round indicated by the round 
number signal inputted from the round operation control unit 300. It is preferable that 
the constant storage unit 1 12 comprises a ROM. 
[51] A second multiplexer 113 of the round key generation unit 110 is controlled 

according to the value of the mode signal inputted through the bus 200, and selects and 
outputs either of 32-bit keys for encryption or decryption inputted from the 128-bit 
prekey register 1 1 1 and the 128-bit round key register 1 1 la. 

A shifter 1 14 of the round key generation unit 1 10 performs a cyclic shift of the 
32-bit key inputted through the second multiplexer 1 13 to the left by one byte 

A substitution transform unit 1 15 of the round key generation unit 1 10 is composed 
of substitution boxes (S-boxes) for performing the substitution operation, and performs 
a substitution of the 32-bit key shifted by the shifter 1 14 
[54] A first XOR gate 1 16 of the round key generation unit 1 10 performs an XOR 

operation of the most significant byte of the 32-bit key outputted from the substitution 
transform unit 1 15 with the constant value stored in the constant storage unit 1 12 
A round XOR operation unit 1 17 of the round key generation unit 1 10 newly 
generates the 128-bit round key RK for encryption or decryption to be stored in the 
128-bit round key register 1 1 la for each round of the round operation by performing 
an XOR operation using a 32-bit value obtained by adding output bits of the first XOR 
gate 1 16 to the remaining 24 bits except for the most significant byte of the sub- 
stitution transform unit 1 15, the 128-bit round key (i.e., prekey) of the previous round 
stored in the 128-bit prekey register 1 1 1, and the 128-bit round key RK of the new 
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round stored in the 128-bit round key register 1 1 la. 

A second XOR gate 1 18 of the round XOR operation unit 1 17 generates the most 
significant 32-bit round key RKO of the 128-bit round key for encryption or 
decryption of the new round by performing an XOR operation of the 32-bit value 
obtained by adding the output bits of the first XOR gate 1 16 to the remaining 24 bits 
except for the most significant byte of the substitution transform unit 115, with the 
most significant 32-bit round key PKO of the 128-bit round key of the previous round 
[57] A third XOR gate 1 18a of the round XOR operation unit 1 17 generates a 32-bit 

d.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for encryption of the 
new round by performing an XOR operation of the most significant 32-bit (i e 127 th 
bit to 96 bit) round key RKO of the 128-bit round key of the new round with a 32-bit 
(i.e., 95 bit to 64 bit) round key PKl next to the most significant 32bits of the 
128-bit round key of the previous round. 
[58] The third XOR gate 1 18a also generates a 32-bit (i.e., 95 th bit to 64* bit) round key 

RK1 of the 128-bit round key for decryption of the new round by performing an XOR 
operation of the most significant 32-bit (i.e., 127 ,h bit to 96* bit) round key PKO of the 
128-bit round key of the previous round with a 32-bit (i.e., 95 th bit to 64 th bit) round 
key PKl next to the most significant 32bits. 
[59] A third multiplexer 1 19 of the round XOR operation unit 1 17 is controlled 

according to the value of the mode signal inputted through the bus 200, and selectively 
determines input signals of the third XOR gate 1 1 8a. 
[60] A fourth XOR gate 1 1 8b of the round XOR operation unit 1 17 generates a 32-bit 

d.e., 63 bit to 32 nd bit) round key RK2 of the 128-bit round key for encryption of the 
new round by performing an XOR operation of a 32-bit (i.e., 95* bit to 64 th bit) round 
key RK1 of the 128-bit round key of the new round with a 32-bit (i.e., 63 rd bit to 32 nd 
bit) round key PK2 of the 128-bit round key of the previous round. 
[61] The fourth XOR gate 1 18b also generates a 32-bit (i.e., 63* bit to 32 nd bit) round 

key RK2 of the 128-bit round key for decryption of the new round by performing an 
XOR operation of a 32-bit (i.e., 95* bit to 64 th bit) round key PKl of the 128-bit round 
key of the previous round with a next 32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 
[62] A fourth multiplexer 1 19a of the round XOR operation unit 1 17 is controlled 

according to the value of the mode signal inputted through the bus 200, and selectively 
determines input signals of the fourth XOR gate 1 1 8b. 

A fifth XOR gate 118c of the round XOR operation unit 1 17 generates a 32-bit (i e 
31 bittoO bit) round key RK3 of the 128-bit round key for encryption of the new 
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round by performing an XOR operation of a 32-bit (i.e., 63 rd bit to 32 nd bit) round key 

RK2 of the 128-bit round key of the new round with a 32-bit (i.e., 31 st bit to (f bit) 

round key PK3 of the 128-bit round key of the previous round. 
[64] A fifth XOR gate 1 18c also generates a 32-bit (i.e., 31 s ' bit to 0* bit) round key RK3 

of the 128-bit round key for decryption of the new round by performing an XOR 

operation of a 32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 of the 128-bit round key 

of the previous round with a next 32-bit (i.e., 3 1 5 ' bit to 0* bit) round key PK3 
[65] A fifth multiplexer 1 19b of the round XOR operation unit 1 17 is controlled 

according to the value of the mode signal inputted through the bus 200, and selectively 

determines input signals of the fifth XOR gate 1 1 8c. 
[66] The rijndael block cipher apparatus as constructed above according to the present 

invention performs the encryption and decryption processes as follows: 
[67] First, referring to FIGs. 1 and 2, the encryption and decryption operation of the 

rijndael block cipher apparatus will be explained. 
[68] If a round operation starts, a round key generation process is performed as the 

initial 128-bit input key is inputted to the round key generation unit 100 through the 

bus 200, and 128-bit input data is inputted to the shift/inverse-shift_row transform unit 

120. 

[69] At this time, the shift/in verse-shift_row transform unit 120 performs a shift/ 

inverse-shift by different numbers of bytes as defined in the rijndael block cipher 
algorithm. 

[70] If the round operation control unit 300 sends a signal that selects upper 64 bits 

(sel=T), the shift/inverse-shift_row transform unit 120 outputs the upper 64 bits 
through the first multiplexer 121. while if the round operation control unit 300 sends a 
signal that selects lower 64 bits (sel='0'), it outputs the lower 64 bits through the first 
multiplexer 121. 

[71] After the byte shift/inverse-shift_row operation as described above is performed, 

the upper or lower 64-bit data is inputted to the substitution/inverse-substitution 
transform unit 130, and the substitution or inverse substitution of the data is performed 
by a substitution box (S-box) or an inverse-substitution box (Si-box). At this time, the 
S-box and the Si-box serve as a substitution transform unit that outputs a one-byte 
output with respect to a one-byte input as defined in a specification of the rijndael 
algorithm. Also, since it is enough that the substitution/inverse-substitution transform 
unit 130 proposed according to the present invention processes only 64-bit data at a 
time, it requires only 8 S-boxes or 8 Si-boxes. 
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die bus 200 after the substi.utio„,.„verae-subs,i.u,ion ope rati „„ is performed 3, * 
descnbed above, the upper or lower 64-bit data is inputted to the mix/ 
mverae-nuxcolimi, transform u„i, ,50 ihrough the encryption output terminal V of me 
fira, demi^exer ,40, while if a mode signal ma, seleets me decryption process 

metdT ' H in r ,ed ' hK>Ugh ^ 20 °' "* ^ ° r to "» 64 " b « — " to 
unit 150 through me decryption output terminal T of the Do, demiftiplexer ,40 
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me bus 200, the 64-bu data tha, has passeti dirough me rrax/inverse-mixcokimu 

transform unit is inputted to the add-round-key .ransform unit 170 through the 

encryption output terminal V of tine second dermtiplexer ,60, while if the mode 

stgntd that ^eca me decryption process (mode=T, is in putted ^ me bus 200 _ 

T2 ,tn' S ° U1PU " ed ' hrOUgh deCryP ' i0 " OU """ ~ ° f -°nd de- 
muMexer 160 as a resultant data of the round operation. 

A,so. If die mode signal that sCecs the enayption process (mode= W ) is i„ putt ed 
mrough me bus 200, the 64-bi, data ma. has passed mrough the add-round-key 
f U °" " ° UtPUt,ed throU8h «*" .erminal V of me titird de- 

««. selects me decryption process (modern is i„p U , te d through the bus 200, 1 
64-bt. data . taputttd „, the mix/inverse-mixco^mr, .ransform unit ,50 through the 
decryption output terminal T of the third demUtiplexer 180. 

As described above, since me presen. invention is intended to reduce the use of 
hardwaie resources by sharing constituent elements commonly used in the encryption 
rocess and the decryption process, the respective transform units have both func tioTs 
of encryption and decryption. 

Meanwhile, teferring .o FIG. 3, the generation of round keys for encryption or 
decrypt™ racpured for ^ encryplion ^ rf ^ 

cpher apparatits according ,„ u« prese „ t invention and performed by tite round key 
generation unit ,00 will be exjiained. 

If me 4-clock or 3-c.ock round operation start signal and He round number signal 
» .»pu..ed from flie round operation comro, unit 300 .o Uie round operation unit 100 
the round operation starts. 

If the round operation starts, the round key generation uni. 1 10 starts to generate a 
round key RKofanew round using *e 128-bi. round key (i .e.. pre key, of 
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round stored in the 128-bit prekey register 111. 
[79] If the mode signal that selects the encryption (mode='0') is inputted through the bus 

200, the least significant 32 bits (PK3) of the 128-bit round key of the previous round 
of the 128-bit prekey register 1 1 1 is inputted to the shifter 1 14 through the second 
mulitplexer 113. 

[80] By contrast, if the mode signal that selects the decryption (mode=T) is inputted 

through the bus 200, the fifth XOR gate 1 18c performs an XOR operation of the lower 
64 bits PK2 and PK3 of the round key of the previous round, and temporarily stores 
the XORed 32 bits as the least significant 32 bits RK3 of a new round key. Simul- 
taneously, this value RK3 is inputted to the shifter 1 14 through the second multiplexer 
113. 

[81] The 32-bit key inputted to the shifter 1 14 is shifted to the left by one byte, and then 

substituted by the substitution transform unit 1 15 composed of 4 S-boxes. 

[82] As described above, the most significant 8-bit key of the substitution-transformed 

32-bit keys is XORed by the first XOR gate 1 16 with the constant value Rcon 
determined according to the order of the round indicated by the round number signal 
inputted from the round operation control unit 300. The resultant 8 bits outputted from 
the first XOR gate 1 16 are added to the remaining 24 bits outputted from the sub- 
stitution transform unit 1 15, and the added bits are inputted to the second XOR gate 
1 1 8 of the round XOR operation unit 117. 

[83] Especially, by limiting the part in which the constant values related to the round 

numbers are XORed during the round key generation process only to the upper 8 bits 
of the 32-bit data that has passed through the substitution transform unit 1 15, the effect 
of reduction of the hardware size can be obtained. For this, the rijndael algorithm spec- 
ification describes the structure that makes 32-bit constant value that is related to the 
round number by padding '0' of 24 bits to the 8-bit constant value, and then performs 
an XOR operation of the32-bit constant value with the 32-bit value that has passed 
through the substitution transform unit 1 15. 
[84] Then, the second XOR gate 1 18 performs an XOR operation of the 32 bits, which 

are obtained by adding the resultant 8 bits outputted from the first XOR gate 1 16 to the 
remaining 24 bits outputted from the substitution transform unit 1 15, with the most 
significant 32 bits PK0 of the round key of the previous round, and stores the resultant 
value of the XOR operation as the most significant 32-bit round key RK0 of the new 
round. 

[85] After the most significant 32-bit round key RK0 required for encryption or 
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decryption of the new round is generated as described above, the third XOR gate 1 18a 
in the case of encryption process, generates the next 32-bit round key RK1 of the new ' 
round by performing an XOR operation of the most significant 32-bit round key RKO 
of the new round with the upper 32-bit (i.e., 95 th bit to 64* bit) round key PKl of the 
previous round. In the case of decryption process, the third XOR gate 1 1 8a generates 
the next 32-bit round key RK1 of the new round by performing an XOR operation of 
the most significant 32-bit round key PKO of the previous round with the next upper 
32-bit round key PKl of the previous round. 

At this time, the third multiplexer 1 19 determines the input values of the third XOR 
gate 1 18a according to the mode signal that is inputted through the bus 200 and that 
indicates the encryption process or the decryption process. 

After the 32-bit round key RK1 next to the most significant 32-bit round key RKO 
of the new round is generated as described above, the next 32-bit round key RK2 and 
the least significant 32-bit round key RK3 for encryption or decryption are generated 
by the fourth XOR gate 1 18b and the fifth XOR gate 1 18c which operate in the same 
manner as the third XOR gate 1 18a. The fourth multiplexer 1 19a determines the input 
values of the fourth XOR gate 1 1 8b, and the fifth multiplexer 1 19b determines the 
input values of the fifth XOR gate 1 18c. 

Especially, the time required to generate the 128-bit round key of the new round in 
the unit of 32 bits corresponds to the whole 4-clock period of the round operation start 
signal inputted from the round operation control unit 300 in the case of encryption 
process, and corresponds to the whole 2-clock period in the case of decryption process 

In practice, when the first clock of the encryption round operation start signal 
becomes T, the most significant 32-bit round key RKO of the new round is generated 
through the second XOR gate 1 18, and whenever the second, third and fourth clocks 
become T, the 32-bit round keys RK1, RK2 and RK3 of the new round are generated 
through the third XOR gate 1 18a, fourth XOR gate 1 18b and fifth XOR gate 1 18c 
spectively. Also, when the first clock of the decryption round operation start signal 
becomes T. the most significant 32-bit round key RKO of the new round is generated 
through the second XOR gate 1 18, and when the second clock becomes T the 32-bit 
round keys RK1, RK2 and RK3 of the new round are simultaneous generated 
through the third XOR gate 1 18a, fourth XOR gate 1 18b and fifth XOR gate 1 18c 

In the case that the 3-clock round operation start signal is inputted from the round 
operation control unit 300 to the round operation unit 100, the round key generation 
unit 1 10 generates the encryption round key during the 2-clock period. 
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[91] At this time, the process of generating the most significant 32-bit (i.e., 127 th bit to 

96* bit) round key RKO of the 128-bit round key of the new round is performed when 
the first clock of the round operation start signal becomes T. 

[92] If the second clock of the round operation start signal becomes T. the third XOR 

gate 1 18a generates the 32-bit (i.e., 95* bit to 64 th bit) round key RK1 of the 128-bit 
round key for encryption of the new round by performing an XOR operation of the 
most significant 32-bit (i.e., 127 th bit to 96 th bit) round key RKO of the 128-bit round 
key of the new round with the 32-bit round key PK1 next to the most significant 32bits 
of the 128-bit round key of the previous round. 

[93] Simultaneous, the fourth XOR gate 1 18b generates a 32-bit (i.e., 63 ri bit to 32 nd 

bit) round key RK2 of the 128-bit round key for encryption of the new round by 
performing an XOR operation of a resultant value 
(RKO 0 PK1), 

which is obtained by the third XOR gate's XOR operation of the most significant 
32-bit (i.e., 127 th bit to 96* bit) round key RKO of the 128-bit round key of the new 
round with the 32-bit (i.e., 95 th bit to 64 th bit) round key PK1 next to the most 
significant 32-bit round key of the 128-bit round key of the previous round, with the 
32-bit (i.e., 63 rd bit to 32 nd bit) round key PK2 of the previous round. 
[94] Simultaneously, the fifth XOR gate 1 18c generates a 32-bit (i.e., 31 st bit to 0 th bit) 

round key RK3 of the 128-bit round key for encryption of the new round by 
performing an XOR operation of a resultant value 
(RKO © PK1), 

which is obtained by the fourth XOR gate's XOR operation of the most significant 
32-bit (i.e., 127 th bit to 96 th bit) round key RKO of the 128-bit round key of the new 
round that has been XORed by the third XOR gate 1 18a with the 32-bit (i.e., 95 th bit to 
64* bit) round key PK1 next to the most significant 32-bit round key of the 128-bit 
round key of the previous round, with the 32-bit (i.e., 63 rd bit to 32 nd bit) round key 
PK2 of the previous round to produce a resultant vabe 
(RKO 0 PK1 © PK2) 

of XOR operation, and then performing an XOR operation of the resultant value 
(RKO © PK1 © PK2) 

with the 32-bit (3 1 st bit to 0 th bit) round key PK3 of the previous round. 
[95] m the case that the 2-clock round operation start signal is inputted from the round 

operation control unit 300 to the round operation unit 100, the round key generation 
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unit 1 10 generates the encryption round key during the one-clock period. 

At this time, the process of generating the most significant 32-bit (i.e 127 th bit to 
96 bit) round key RKO of the 128-bit round key of the new round through the second 
XOR gate 118 is performed when the round operation start signal is inputted and the 
clock is simultaneously in a 'O'state. 
[97] If the first clock of the round operation start signal becomes T, the third XOR gate 

1 18a generates the 32-bit (i.e., 95 th bit to 64 th bit) round key RK1 of the 128-bit round 
key for encryption of the new round by performing an XOR operation of the most 
significant 32-bit (i.e., 127 th bit to 96 th bit) round key RKO of the 128-bit round key of 
the new round with the 32-bit round key PKl next to the most significant 32bits of the 
128-bit round key of the previous round. 

Simultaneous, the fourth XOR gate 118b generates a 32-bit (i.e. 63 * bit to 32 nd 
bit) round key RK2 of the 128-bit round key for encryption of the new round by 
performing an XOR operation of a resultant value 
(RKO © PKl), 

which is obtained by the third XOR gate's XOR operation of the most significant 
32-bit (i.e., 127 bit to 96 th bit) round key RKO of the 128-bit round key of the new 
round with the 32-bit (i.e., 95 th bit to 64 th bit) round key PKl next to the most 
significant 32-bit round key of the 128-bit round key of the previous round, with the 
32-bit (i.e., 63 bit to 32 nd bit) round key PK2 of the previous round. 

Simultaneous, the fifth XOR gate 1 18c generates a 32-bit (i.e., 31 st bit to 0 th bit) 
round key RK3 of the 128-bit round key for encryption of the new round by 
performing an XOR operation of a resultant value 
(RKO © PKl), 

which is obtained by the fourth XOR gate's XOR operation of the most significant 
32-bit (i.e., 127 th bit to 96 th bit) round key RKO of the 128-bit round key of the new 
round mat has been XORed by the third XOR gate 1 18a with the 32-bit (i.e., 95 th bit to 
64 bit) round key PKl next to the most significant 32-bit round key of the 128-bit 
round key of the previous round, with the 32-bit (i.e., 63 rd bit to 32 nd bit) round key 
PK2 of the previous round to produce a resultant vakie 
(RKO © PKl © PK2) 

of XOR operation, and then performing an XOR operation of the resultant value 
(RKO © PKl © PK2) 

with the 32-bit (31 st bit to 0 th bit) round key PK3 of the previous round. 
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[100] In the case that the 2-clock round operation start signal is inputted from the round 
operation control unit 300 to the round operation unit 100, the round key generation 
umt 1 10 generates the decryption round key during the one-clock period. 

[101] At this time, the process of generating the most significant 32-bit (i.e., 127 th bit to 
96 bit) round key RK0 of the 1 28-bit round key of the new round through the second 
XOR gate 1 18 is performed when the round operation start signal is inputted and the 
clock is simiiltaneoudy in a '0'state. 

[102] If the first clock of the round operation start signal becomes T, the third XOR gate 
1 18a generates the next 32-bit round key RK1 of the new round by performing an 
XOR operation of the most significant 32 bits PK0 of the previous round with the next 
upper 32 bits PK1 of the previous round, and in succession the fourth XOR gate 1 18b 
and the fifth XOR gate 1 1 8c, which operate in the same manner as the third XOR gate 
1 18a, generate the next 32-bit round key RK2 for decryption and the least significant 
32-bit round key RK3. These processes are simultaneously performed during the first 
clock period. 

[103] Now, the operation of the rijndael block cipher apparatus that performs the 

encryption and decryption process as described above will be explained in more detail 
m accordance with the number of clocks of the round operation start signal inputted 
from the round operation control unit 300 to the round operation unit 100 

FIG. 4 is a first timing diagram illustrating a method of encrypting a rijndael block 
cipher according to the present invention. 

Referring to FIG. 4, if the four-clock round operation start signal and the round 
number signal are inputted from the round operation control unit 300 to the round 
operation unit 100 (step S400), the byte-shift transform and the substitution operation 
are successively performed with respect to the upper 64-bit data of the 128-bit round 
operation input data at the moment when the first clock becomes T (step S401) and 
these two processes are performed within one clock. The results of these processes are 
stored in the 64-bit data register 400. Also, at the moment when the first clock of the 
round operation start signal becomes T. the 128-bit round key generation process 
using the 128-bit round input key starts (step S401a). 

At the moment when the second clock of the round operation start signal becomes 
, the mixcolumn transform using the 64-bit data stored in the 64-bit data register 400 
is performed with its resultant values stored in the 64-bit data register 400 (step S402) 
and simufcaneoudy, the byte-shift transform and the substitution operation of the lower 
64-bit data of the round operation input data are successively performed (step S402) 
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These two processes are formed in one clock. Also, the resultant data of the byte-shift 
transform and the substitution operation of the lower 64-bit data are stored in a lower 
64-bit position of the 128-bit data register 500 that stores the round operation results. 
[107] At the moment when the third clock of the round operation start signal becomes T, 
the 64 bits stored in the 64-bit data register 400 are inputted to the add-round-key 
transform unit 170 so as to be added to the upper 64 bits of the round key generated by 
the round key generation unit 1 10, and the resultant value is stored in the upper 64-bit 
position of the 128-bit data register 500 (step S403). Also, the mixcoLmn transform of 
the lower 64-bit data of the 128-bit data register 500 is performed, and the resultant 
vabe is stored in the lower 64-bit position of the 128-biat data register 500 (step 
S403). 

[108] At the moment when the fourth clock of the round operation start signal becomes 
T, the lower 64 bits of the 128-bit data register 500 are inputted to the add-round-key 
transform unit 170 so as to be added to the lower 64 bits of the round key generated by 
the round key generation unit 1 10, and the resultant value is stored in the lower 64-bit 
position of the 128-bit data register 500 (step S404). 

[109] Accordingly, in the rijndael block cipher apparatus that performs the above- 
described encryption process, the 128-bit data of the 128-bit data register 500 is used 
as the 128-bit round operation input data of the next round, and the round key RK 
newly generated by the round key generation unit 1 10 and then stored in the 128-bit 
round key register 1 1 la is also stored in the 128-bit prekey register 1 1 1 to be used as 
the 128-bit round input key of the next round. Consequently, the encryption operation 
of one round is completed within a period of four clocks. 

[1 10] In the case that the encryption method as illustrated in FIG. 4 is performed by the 
rijndael block cipher apparatus according to the present invention, the round key 
generation unit 1 10 completes the round key generation process within a period of four 
clocks of the round operation start signal That is, as shown in FIG. 4, the add- 
round-key transform process (step S403), which is the process of adding the upper 
64-bit data to the round key, is performed after the third clock from the start of the 
round operation. After the second clock from the start of the round operation, only the 
upper 64-bit round key of the new round is generated, and at this time point, there is no 
problem in performing the encryption operation of the round operation since only the 
upper 64-bit round key is used. Also, since the time point when the fourth clock starts 
after third clock for the round operation coincides with the time point when all the 
128-bit round keys are generated, there is no problem in performing the add-round-key 
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transform process (step S404) for adding the lower 64-bit data to the lower 64-bit 
round key. 

[HI] Also, in the in the rijndael block cipher apparatus that performs the above-described 
encryption process, the 64-bit data register 400 is used as the storage space of the in- 
termediate data generated during the encryption process, and thus the result of the 
byte-shift transform of the upper 64-bit data does not affect the byte-shift transform of 
the lower 64-bit data. Also, since the upper 64-bit data and the lower 64-bit data are si- 
multaneously transformed, but are not transformed in the same manner during the 
same clock period, the number of hardware modules required for the transform can be 
reduced by half. Especially, the data generated for each clock is updated and stored in 
one storage space, and thus no additional storage space is required. That is, this case is 
directed to the structure that applies a pipeline structure but requires no additional 
hardware, and this structure will be applied in the same manner to methods of 
encrypting and decrypting the rijndael block cipher according to other embodiment of 
the present invention to be explained later. 
[112] FIG. 5 is a first timing diagram illustrating a method of decrypting a rijndael block 

cipher according to the present invention. 
[113] Referring to FIG. 5, if the four-clock round operation start signal and the round 
number signal are inputted from the round operation control unit 300 to the round 
operation unit 100 (step S500), the byte-inverse-shift transform and the inverse- 
substitution operation are successively performed with respect to the upper 64-bit data 
of the 128-bit round operation input data at the moment when the first clock becomes 
T (step S501), and these two processes are performed within one clock. At this time, 
the resultant data is stored in the 64-bit data register 400. Also, if the first clock of the 
round operation start signal becomes T, the 128-bit round key generation process 
using the 128-bit round input key starts (step S501a). 
[1 14] At the moment when the second clock of the round operation start signal becomes 
T. the add-round-key transform for adding the 64-bit data stored in the 64-bit data 
register 400 to the upper 64 bits of the round key generated through the round key 
generation unit 1 10 is performed, and the resultant data is stored in the 64-bit data 
register 400 (step S502). Simultaneous, the byte- inverse-shift transform and the 
inverse-substitution of the lower 64-bit data of the round operation input data are suc- 
cessively performed, and the resultant data is stored in the lower 64-bit position of the 
128-bit data register (step S502). 
[115] At the moment when the third clock of the round operation start signal becomes T, 
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the 64-bit data stored in the 64-bit data register 400 is inputted to the mix/ 
inverse-mixcolumn transform unit 150, and the resultant data of the inverse- 
mixcokimn transform is stored in the upper 64-bit position of the 128-bit data register 
500 (step S503). Simultaneously, the add-round-key transform for adding the lower 
64-bit data that has passed through the inverse-substitution operation to the round key 
generated from the round key generation unit 1 10 is performed, and the resultant data 
is stored in the lower 64-bit position of the 128-biat data register (step S503). 
[1 16] At the moment when the fourth clock of the round operation start signal becomes 
T, the lower 64-bit data that has passed through the add-round-key transform is 
inputted to the mix/in verse-mixcolimn transform unit 150 to be inverse- 
mixcolumn-transformed, and the resultant data is stored in the lower 64-bit position of 
the 128-bit data register 500 (step S504). 

At this time, the 128-bit data of the 128-bit data register 500 is used as the 128-bit 
round operation input data of the next decryption round operation, and the 128-bit 
round key RK that is the result of the round key generation is stored in the 128-bit 
prekey register 1 1 1 so as to be used as the 128-bit round input key of the next round 
operation. Consequently, the decryption operation of one round is completed within a 
period of four clocks. 

In the case that the decryption method as illustrated in FIG. 5 is performed by the 
rijndael block cipher apparatus according to the present invention, the round key 
generation unit 1 10 completes the round key generation process within a period of two 
clocks of the round operation start signal That is, as shown in FIG. 5, since the add- 
round-key transform process (step S502), which is the process of adding the upper 
64-bit round key to the 64-bit data, is performed after the second clock from the start 
of the round operation, all the 128-bit round keys have already been generated at the 
time point of the second clock, and thus there is no problem in performing the round 
operation. 

FIG. 6 is a second timing diagram illustrating a method of encrypting a rijndael 
block cipher according to the present invention. 

Referring to FIG. 6, if the three-clock round operation start signal and the round 
number signal are inputted from the round operation control unit 300 to the round 
operation unit 100 (step S600), the byte-shift operation and the substitution operation 
of the upper 64-bit data are successively performed at the moment when the first clock 
becomes T, and the resultant data is stored in the 64-bit data register (step S601). 
Also, the round key generation process is simultaneous performed (step S601a). 
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[121] At the moment when the second clock of the round operation start signal becomes 
T, the 64-bit data stored in the 64-bit data register 400 is mixcobmn-transformed, and 
then added to the upper 64-bkt round key of the resultant data of the add-round-key 
transform unit 1 10. The resultant data of the add-round-key transform is stored in the 
64-bit data register 400 (step S602). SimuJtaneoudy, the byte-shift transform and the 
substitution operation of the lower 64-bit data are successively performed, and the 
resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step 
S602). w H 

[122] At the moment when the third clock of the round operation start signal becomes T, 
the 64-bit data stored in the 64-bit data register 400 is inputted to the upper 64-bit 
position of the 128-bit data register 500, and the lower 64-bit data of the 128-bit data 
register 500 is mixcolumn-transformed and then added to lower 64-bit round key of 
the round key generated by the round key generation unit 1 10. The resultant data is 
stored in the lower 64-bit position of the 128-bit data register 500 (step S603). 

At this time, the 128-bit data of the 128-bit data register 500 is used as the 128-bit 
round operation input data of the next round operation, and the round key RK 
generated by the round key generation unit 1 10 is stored in the 128-bit prekey register 
1 1 1 and then used as the 128-bit round input key of the next round. Consequendy, the 
encryption operation of one round is completed within a period of three clocks. 

In the case that the encryption method as illustrated in FIG. 6 is performed by the 
rijndael block cipher apparatus according to the present invention, the round key 
generation unit 1 10 completes the round key generation process within a period of two 
clocks of the round operation start signal That is, as shown in FIG. 6, since the add- 
round-key transform process (step S602), which is the process of adding the upper 
64-bit round key to the upper 64-bit data, is performed after the second clock from the 
start of the round operation, all the 128-bit round keys have already been generated at 
the time point of the second clock, and thus there is no problem in performing the 
round operation. 

FIG. 7 is a second timing diagram illustrating a method of decrypting a rijndael 
block cipher according to the present invention. 

Referring to FIG. 7, if the three-clock round operation start signal and the round 
number signal are inputted from the round operation control unit 300 to the round 
operation unit 100 (step S700), the byte-inverse-shift transform and the inverse- 
substitution operation are successively performed with respect to the upper 64-bit data 
of the 128-bit round operation input data at the moment when the first clock becomes 
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T, and the resultant data is stored in the 64-bit data register 400 (step S701). Also, the 
round key generation process starts simultaneous with these transforms (step S701a). 
[127] When the second clock of the round operation start signal becomes T, the add- 
round-key transform for adding the 64-bit data stored in the 64-bit data register 400 to 
the upper 64-bit round key of the round key generated by the round key generation unit 
1 10 is performed, and the resultant data is inputted to the mix/inverse-mixcolumn 
transform unit 150. The inverse-mixcolumn-transformed data is stored in the 64-bit 
data register 400 (step S702). Simultaneously, the byte-inverse-shift transform and the 
inverse-substitution transform of the lower 64-bit data of the round operation input 
data are successively performed, and the resultant data is stored in the lower 64-bit 
position of the 128-bit data register (step S702). 
[128] At the moment when the third clock of the round operation start signal becomes T, 
the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit 
position of the 128-bit data register 500, and the add-round-key transform for adding 
the lower 64-bit data of the 128-bit data register 500 to the lower 64-bit round key of 
the round key generation unit 1 10 is performed. The resultant data of the add- 
round-key transform is then inverse-mixcobmn-transformed, and the resultant data of 
the inverse-mixcolumn transform is stored in the lower 64-bit position of the 128-bit 
data register 500 (step S703). 

At this time, the 128-bit data of the 128-bit data register 500 is used as the 128-bit 
round operation input data of the next round operation, and the 128-bit round key RK 
generated by the round key generation unit 1 10 is stored in the 128-bit prekey register 
1 1 1 so as to be used as the 128-bit round input key of the next round operation. Con- 
sequently, the decryption operation of one round is completed within a period of three 
clocks. 

In the case that the decryption method as illustrated in FIG. 7 is performed by the 
rijndael block cipher apparatus according to the present invention, the round key 
generation unit 1 10 completes the round key generation process within a period of two 
clocks of the round operation start signal That is, as shown in FIG. 7, since the add- 
round-key transform process (step S702) for adding the upper 64-bit round key to the 
upper 64-bit data is performed after the second clock from the start of the round 
operation, all the 128-bit round keys have already been generated at the time point of 
the second clock, and thus there is no problem in performing the round operation. 

FIG. 8 is a third timing diagram ilbstrating a method of encrypting a rijndael block 
cipher according to the present invention. 
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[132] Referring to FIG. 8, if the two-clock round operation start signal and the round 
number signal are inputted from the round operation control unit 300 to the round 
operation unit 100 (step S800), the byte-shift transform, the substitution transform, the 
mixcolumn transform and the add-round-key transform are successively performed 
with respect to the upper 64-bit data of the round input data when the first clock 
becomes T, and the resultant data is stored in the 64-bit data register 400 (step S801). 
Simultaneous, the round key generation process (step S801a) is performed, and the 
add-round-key transform of the upper 64-bit round key of the generated round key is 
performed. These processes are performed in a period of one clock. 

[133] When the second clock of the round operation start signal becomesT, the byte-shift 
transform, the substitution transform, the mixcolumn transform and the add-round-key 
transform are successively performed with respect to the lower 64-bit data of the round 
input data, and the resultant data is stored in the lower 64-bit position of the 128-bit 
data register 500 (step S802). Also, the add-round-key transform of the lower 64-bit 
round key of the round key generated in the round key generation process is 
performed. At this time, the 64-bit data stored in the 64-bit data register 400 is stored 
in the upper 64-bit position of the 128-bit data register 500, and the 128-bit round key 
RK newly generated by the round key generation unit 1 10 is stored in the 128-bit 
round key register 1 1 la and backed up in the 128-bit prekey register 111. Con- 
sequently, the encryption operation of one round is completed within a period of two 
clocks. 

[134] In the case that the encryption method as illustrated in FIG. 8 is performed by the 
rijndael block cipher apparatus according to the present invention, the round key 
generation unit 1 10 completes the round key generation process within a period of one 
clock of the round operation start signal That is, as shown in FIG. 8, since the add- 
round-key transform process (step S801) for adding the upper 64-bit round key to the 
upper 64-bit data is performed after the first clock from the start of the round 
operation, all the 128-bit round keys have already been generated at the time point of 
the first clock, and thus there is no problem in performing the round operation. 

[135] Actually, the round key generation unit 1 10 as illustrated in FIG. 3 generates RK1 
using RK0, and RK2 using RK1. The round key generation unit 1 10 does not generate 
RK3 using RK2, but generates RK0 in a state that the round operation start signal is 
inputted and the clock becomes , 0' simultaneoudy. When the first clock becomes T, 
the round key generation unit 1 10 generates RK1 by XORing RK0 with PK1, RK2 by 
XORing RK0 with PK1 and PK2, and RK3 by XORing RK0 with PK1, PK2 and PK3, 
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simultaneoudy. 

[136] FIG. 9 is a third timing diagram ilbstrating a method of decrypting a rijndael block 

cipher according to the present invention. 
[137] Referring to FIG. 9, if the two-clock round operation start signal and the round 
number signal are inputted from the round operation control unit 300 to the round 
operation unit 100 (step S900), the byte-inverse-shift transform, the inverse-sub- 
stitution transform, the add-round-key transform and the inverse-mixcolumn transform 
are successively performed with respect to the upper 64-bit data of the round input data 
when the first clock becomes T , and the resultant data is stored in the 64-bit data 
register 400 (step S901). These processes are performed in a period of one clock. Si- 
multaneous, the round key generation process (step S901a) for decryption is 
performed, and the add-round-key transform of the upper 64-bit round key of the 
round key generated by the round key generation unit 1 10 is performed. 
[138] When the second clock of the round operation start signal becomes T, the byte- 
inverse-shift transform, the inverse-substitution transform, the add-round-key 
transform and the inverse-mixcolumn transform are successively performed with 
respect to the lower 64-bit data of the round input data, and the resultant data is stored 
in the lower 64-bit position of the 128-bit data register 500 (step S902). These 
processes are performed in a period of one clock. Also, the lower 64-bit round key of 
the round key generated prior to one clock by the round key generation unit 1 10 is 
used for the add-round-key transform. At this time, the 64-bit data stored in the 64-bit 
data register 400 is stored in the upper 64-bit position of the 128-bit data register 500 
and the 128-bit round key RK newly generated by the round key generation unit 1 10 is 
stored in the 128-bit round key register 1 1 la and backed up in the 128-bit prekey 
register 111. Consequently, the decryption operation of one round is completed within 
a period of two clocks. 

[139] In the case that the decryption method as illustrated in FIG. 9 is performed by the 
rijndael block cipher apparatus according to the present invention, the round key 
generation unit 1 10 completes the round key generation process within a period of one 
clock of the round operation start signal That is, as shown in FIG. 9, the add- 
round-key transform process (step S901) for adding the upper 64-bit round key to the 
upper 64-bit data is performed after the first clock from the start of the round 
operation, but all the 128-bit round keys have already been generated at the time point 
of the first clock, and thus there is no problem in performing the round operation. 

[140] Actually, the round key generation unit 1 10 as illustrated in FIG. 3 generates RKO 
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in a state that the round operation start signal is inputted and the clock becomes V si- 
multaneously. When the first clock becomes T, the round key generation unit 1 10 
generates RK1 by XORing RKO with PK1, RK2 by XORing PK1 with PK2, and RK3 
by XORing PK2 with PK3, simultaneously. 
[141] As described above, the rijndael block cipher apparatus according to the encryption 
method as illustrated in FIG. 8 and the decryption method as illustrated in FIG. 9 is a 
model suitable to be applied to a smart card, a USDVI (User Subscriber Identity 
Module) card, a SIM card, etc., that have a small size, a low power consumption, and a 
low operational frequency characteristic. 
Industrial Applicability 

As apparent from the above description, the rijndael block cipher apparatus and the 
encryption/decryption method thereof according to the present invention can encrypt 
and decrypt important data that requires security at high speed by being mounted in a 
mobile terminal such as a cellular phone and a PDA or a smart card, which requires a 
high-rate and small-sized cipher processor, and can perform a round operation with 
respect to upper 64 bits and lower 64 bits which are divided from 128-bit input data. 
The present invention has the following effects: 

First, the cipher apparatus according to the present invention has a small size and 
can encrypt/decrypt real-time data at high speed by repeatedly using the round 
operation device in the apparatus. 

Second, since the cipher apparatus according to the present invention encrypts/ 
decrypts block cipher data in real time using the round operation device applying a 
rijndael algorithm, it can provide a higher-graded security in comparison to an 
operation device applying the existing DES (Data Encryption Standard). 

Third, the rijndael encryption/decryption round operation device of the cipher 
apparatus according to the present invention has the advantage that it can encrypt/ 
decrypt block cipher data in real time by adding a simple controller that repeats the 
round operation for a predetermined number of times. 

Fourth, the round operation device of the cipher apparatus according to the present 
invention can rapidly encrypt/decrypt data in real time although it has a small size that 
is almost half the size of the existing round operation device in the unit of 128 bits. 

Fifth, the round operation device of the cipher apparatus according to the present 
invention can be implemented using a proper method according to its application 
fields, and in the case of applying to a system that is irrespective of the amount of 
hardware resource used, it can obtain a two-times high speed of data encryption/ 
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decryption by applying a round process in the unit of 128 bits instead of a round 
process in the unit of 64 bits. 
[ 149] The forgoing embodiments are merely exemplary and are not to be construed as 
limiting the present invention. The present teachings can be readily applied to other 
types of apparatuses. The description of the present invention is intended to be il- 
lustrative, and not to limit the scope of the claims. Many alternatives, modifications, 
and variations will be apparent to those skilled in the art. 



